From: Daniel Kahn Gillmor
Subject: [Savannah-help-public] [sr #106474] CN in TLS certificate (savannah.*gnu.org) is too broad -- use SubjectAltNames instead.
Date: Fri, 22 Aug 2008 17:02:32 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071618 Iceweasel/3.0.1 (Debian-3.0.1-1)

URL:
  <http://savannah.gnu.org/support/?106474>

                 Summary: CN in TLS certificate (savannah.*gnu.org) is too
broad -- use SubjectAltNames instead.
                 Project: Savannah Administration
            Submitted by: dkg
            Submitted on: Fri 22 Aug 2008 01:02:30 PM EDT
                Category: Savannah website
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
             Assigned to: None
        Originator Email: Daniel Kahn Gillmor <address@hidden>
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

In the TLS certificate used by the savannah web site (both gnu and nongnu),
the subject DN appears to be:

/C=US/O=FSF/OU=Savannah/CN=savannah.*gnu.org/

The CN (the relevant piece checked by most TLS implementations against the
hostname of the server in the absence of the SubjectAltNames extension) is far
too broad.

If one were to accept this certification, the implication is that the holder
of this certificate could register "ihategnu.org", put up a server at
"savannah.ihategnu.org", and use the same certificate/keypair.  If the CA
issuing the cert (the savannah CA?  the FSF CA?) wants its certifications to
be taken seriously, it should probably avoid issuing certs with such broad
CNs.

A better strategy would be to leave the CN as savannah.gnu.org, but add the
X.509v3 SubjectAltName extension, containing two DNS names: savannah.gnu.org
and savannah.nongnu.org.





    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?106474>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
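
The hostname check the report is talking about, written out as an added example (this is not code from the original message, nor Savannah's or the FSF's own code). It implements the reference-identifier rules of RFC 6125 section 6.4.3 as modern clients apply them: if the certificate carries dNSName SubjectAltNames, only those are compared and the CN is ignored; a wildcard is honoured only when it is the entire left-most label and matches exactly one label. A second, deliberately lax glob-style matcher is included to show what happens with the reported CN in a client that does naive pattern matching. The two certificates are constructed by hand from the values in the report (`savannah.*gnu.org` without SAN, and `savannah.gnu.org` with two SAN entries); `CertIdentifiers` and the function names are this example's own:

```python
"""Hostname matching against the identifiers a TLS server certificate presents.

Added example: stdlib only, no network, no real certificate parsing. The two
certificates below are constructed from the values quoted in the report.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field


@dataclass
class CertIdentifiers:
    """The parts of a server certificate that matter for hostname checking.

    Built by hand here; a real client would extract them from the parsed
    X.509 structure (subject CN and the subjectAltName dNSName entries).
    """
    common_name: str
    san_dns: list[str] = field(default_factory=list)

    def presented(self) -> list[str]:
        # RFC 6125 / RFC 2818: when dNSName SANs are present they are the
        # only identifiers considered; the CN is a fallback for SAN-less certs.
        return list(self.san_dns) if self.san_dns else [self.common_name]


def label_matches_strict(pattern: str, hostname: str) -> bool:
    """RFC 6125 s6.4.3 as applied by current browsers/CA-B Forum rules.

    Comparison is case-insensitive and label-wise. A wildcard is accepted only
    when it is the whole left-most label, it matches exactly one label, and at
    least two labels follow it (so '*.org' is rejected as too broad).
    """
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return pat == host
    if pat[0] != "*" or any("*" in lbl for lbl in pat[1:]) or len(pat) < 3:
        # Wildcard that is not the whole left-most label (e.g. 'savannah.*gnu.org',
        # 'foo*.gnu.org', 'a.*.gnu.org'), or too few labels after it.
        return False
    return len(host) == len(pat) and host[1:] == pat[1:]


def label_matches_lax(pattern: str, hostname: str) -> bool:
    """A naive glob matcher, as found in some home-grown or very old clients.

    Shown only to illustrate why a CN such as 'savannah.*gnu.org' is dangerous:
    '*' here matches any characters, dots included.
    """
    return fnmatch.fnmatchcase(hostname.lower(), pattern.lower())


def hostname_accepted(cert: CertIdentifiers, hostname: str, strict: bool = True) -> bool:
    """True if `hostname` matches any identifier the certificate presents."""
    match = label_matches_strict if strict else label_matches_lax
    return any(match(ident, hostname) for ident in cert.presented())


def evaluate(cert: CertIdentifiers, hostnames: list[str], strict: bool = True) -> dict[str, bool]:
    """Map each candidate hostname to the accept/reject decision."""
    return {h: hostname_accepted(cert, h, strict) for h in hostnames}


# Constructed from the subject DN quoted in the report: broad CN, no SAN extension.
REPORTED_CERT = CertIdentifiers(common_name="savannah.*gnu.org")

# Constructed from the report's proposal: ordinary CN plus two dNSName SANs.
PROPOSED_CERT = CertIdentifiers(
    common_name="savannah.gnu.org",
    san_dns=["savannah.gnu.org", "savannah.nongnu.org"],
)

# Hostnames to try, including the hostile one from the report.
CANDIDATES = ["savannah.gnu.org", "savannah.nongnu.org", "savannah.ihategnu.org"]


if __name__ == "__main__":
    for name, cert in (("reported", REPORTED_CERT), ("proposed", PROPOSED_CERT)):
        for strict in (True, False):
            mode = "strict (RFC 6125)" if strict else "lax glob"
            print(f"{name:8s} cert, {mode}: {evaluate(cert, CANDIDATES, strict)}")
```

Under the strict rules the reported certificate matches none of the three names, not even savannah.gnu.org, because the wildcard is neither the whole left-most label nor in the left-most position; under the lax matcher it matches all three, including savannah.ihategnu.org, which is exactly the risk the report describes. The proposed certificate matches both Savannah hostnames and rejects the hostile one under either matcher. To see what a real certificate presents, `openssl x509 -in cert.pem -noout -subject -text` prints the subject DN and, if present, the X509v3 Subject Alternative Name block.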